Der Spiegel, December 2013

http://www.spiegel.de/netzwelt/netzpolitik/quantumtheory-wie-die-nsa-weltweit-rechner-hackt-a-941149.html
http://www.spiegel.de/fotostrecke/nsa-dokumente-so-uebernimmt-der-geheimdienst-fremde-rechner-fotostrecke-105329.html 
• (TS//SI//REL) Only R&T Analysts can submit QUANTUMTHEORY Tasking to the QUANTUM team. TOPI Analysts can submit QUANTUMNATION Tasking through Target Profiler. The biggest difference is QUANTUMTHEORY deploys a stage 1 implant called VALIDATOR (soon to be COMMONDEER) and QUANTUMNATION deploys a stage 0 implant called SEASONEDMOTH (SMOTH). SMOTHs die within 30 days of deployment unless requested to extend the life.

• (TS//SI//REL) This presentation does not cover FAA QUANTUM, but if you identify an active selector, compare the SIGAD in Marina to the SIGAD on the GO QUANTUM wiki page to see if FAA QUANTUM is an option.

• (TS//SI//REL) This presentation is geared towards targets seen at US-[redacted]. If you are unfamiliar with this SIGAD, it is equivalent to a TS//NF SIGAD that cannot be mentioned in this PowerPoint. You can contact the POC of this brief for more information.
Web Browsing (Exploit with QUANTUM)

The concept: man-on-the-side

• QUANTUM is a man-on-the-side capability. If your target has a selector that is active in the last 14 days, vulnerable to the QUANTUM technique, and seen by an SSO site that has QUANTUM capabilities, then there might be the opportunity to detect that communication in real-time and piggyback with the requested content back into the target's network and implant the host.

• QUANTUMTHEORY can be used only if a TAO Project is set up (must coordinate with your R&T Analyst)

• QUANTUMNATION can be used regardless of a TAO Project (TOPI does the tasking in Target Profiler)

• The biggest difference is QUANTUMTHEORY deploys a stage 1 implant called VALIDATOR (soon to be COMMONDEER) and QUANTUMNATION deploys a stage 0 implant called SEASONEDMOTH (SMOTH). SMOTHs die within 30 days of deployment unless requested to extend the life. The exploit technique is the same.
What is QUANTUM?

QUANTUM Generic Animation - High Level of How It Works

[Animation figure, repeated across the slides; labelled actors: Target, Internet Router, SSO Site, Yahoo's Web Server, TAO FOXACID Server. Step captions as they appear:]

1. Target logs into his Yahoo account

2. SSO site sees the QUANTUM tasked Yahoo selector's packet and forwards it to TAO's FOXACID Server

3. FOXACID injects a FOXACID URL into the packet and sends it back to the target's computer

4. Yahoo server receives the packet requesting email content

5. FOXACID packet beats the Yahoo packet back to the

6. The target's Yahoo webpage is loaded but in the background the FOXACID URL loads which redirects to the FOXACID Exploit

7. If the browser is exploitable and the PSP is safe, FOXACID deploys a Stage 1 implant back to the target

Target Implanted!
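The race in steps 3 to 6 leaves a trace that a network defender can look for: the forged reply and the genuine server reply occupy the same TCP sequence space of one flow but carry different bytes, and a passive sensor that sits upstream of the client sees both. The detector below is an added example written for this page; it is not part of the leaked slides and not any agency's or vendor's tooling. It assumes the sensor has already split a capture into per-flow TCP segments; the Segment records, the addresses, the TTL values and the redirect.invalid URL in the sample are constructed.

```python
# Added detection example (not from the slides): flag a man-on-the-side race
# on a captured TCP flow. The forged reply and the genuine server reply both
# claim the same sequence space, so a sensor that sees both can spot the
# conflict. Segment records are constructed inline; no pcap library needed.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    ts: float        # capture timestamp in seconds
    src: str         # server side, "ip:port"
    dst: str         # client side, "ip:port"
    seq: int         # TCP sequence number of the first payload byte
    ttl: int         # IP TTL as seen by the sensor
    payload: bytes


def overlap_conflict(a: Segment, b: Segment) -> bool:
    """True if a and b cover overlapping sequence space with different bytes.

    A genuine retransmission repeats identical bytes, so only differing bytes
    in the overlap count. Sequence-number wraparound is ignored here.
    """
    lo = max(a.seq, b.seq)
    hi = min(a.seq + len(a.payload), b.seq + len(b.payload))
    if lo >= hi:
        return False
    return a.payload[lo - a.seq:hi - a.seq] != b.payload[lo - b.seq:hi - b.seq]


def find_injected_responses(segments, min_ttl_delta: int = 0):
    """Return one alert per conflicting pair of server->client segments.

    The earlier segment is the one the client's TCP stack accepted; the later
    one is dropped by the client as a duplicate, which is why the race only
    has to be won, not blocked. A large TTL difference between the two is a
    corroborating signal that they came from different hosts; min_ttl_delta
    lets a deployment require that corroboration before alerting.
    """
    history = defaultdict(list)   # (src, dst) -> segments seen so far
    alerts = []
    for seg in sorted(segments, key=lambda s: s.ts):
        if not seg.payload:
            continue              # pure ACKs cannot conflict
        flow = (seg.src, seg.dst)
        for earlier in history[flow]:
            if overlap_conflict(earlier, seg):
                ttl_delta = abs(earlier.ttl - seg.ttl)
                if ttl_delta >= min_ttl_delta:
                    alerts.append({
                        "flow": flow,
                        "seq": max(earlier.seq, seg.seq),
                        "accepted_first": earlier.payload[:40],
                        "lost_race": seg.payload[:40],
                        "ttl_delta": ttl_delta,
                        "gap_ms": round((seg.ts - earlier.ts) * 1000, 3),
                    })
        history[flow].append(seg)
    return alerts


# Constructed sample: one flow where a forged redirect beat the real page, and
# one flow with an ordinary retransmission (identical bytes) that must not fire.
SAMPLE_SEGMENTS = [
    Segment(10.000, "203.0.113.10:80", "192.0.2.25:51514", 1000, 244,
            b"HTTP/1.1 302 Found\r\nLocation: http://redirect.invalid/\r\n\r\n"),
    Segment(10.012, "203.0.113.10:80", "192.0.2.25:51514", 1000, 52,
            b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>inbox</html>"),
    Segment(11.000, "198.51.100.7:443", "192.0.2.25:51515", 5000, 57,
            b"\x17\x03\x03\x00\x20" + b"\x00" * 32),
    Segment(11.250, "198.51.100.7:443", "192.0.2.25:51515", 5000, 57,
            b"\x17\x03\x03\x00\x20" + b"\x00" * 32),
]


if __name__ == "__main__":
    for alert in find_injected_responses(SAMPLE_SEGMENTS):
        print(alert)
```

On the sample, the first flow produces one alert whose accepted payload is the 302 redirect and whose TTL delta is 192, while the retransmission on the second flow is ignored because its bytes are identical. Reordering across flows, sequence wraparound and TLS-wrapped content (where only the conflict, not the redirect, is visible) are deliberately outside the scope of the example.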







QUANTUM Capabilities - NSA

(TS//SI//REL) NSA QUANTUM has the greatest success against <yahoo>, <facebook>, and Static IP Addresses. New QUANTUM realms are often changing, so check the GO quantum wiki page or the QUANTUM spy Space page to get more up-to-date news.

NSA QUANTUM is capable of targeting the following realms:

• IPv4_public
• alibabaForumUser
• doubleclickID
• emailAddr
• facebook
• hi5Uid
• hotmailCID
• linkedin
• mail
• mailruMrcu
• msnMailToken64
• qq
• rocketmail
• simbarUuid
• twitter
• WatcherID
• yahoo
• yahooBcookie
• ymail
• youTube
QUANTUMTHEORY - GCHQ

If a Partnering Agreement Form (PAF) is set up with GCHQ for the CNO project, then the R&T Analyst can utilize GCHQ QUANTUMTHEORY to include additional capabilities such as:

• ALIBABA
• AOL
• BEBO_EMAIL
• DOUBLECLICK
• FACEBOOK_CUSER
• GOOGLE_PREFID
• GMAIL
• HI5
• HOTMAIL
• LINKEDIN
• MAILRU
• MICROSOFT_MUID
• MICROSOFT_ANONA
• RAMBLER
• RADIUS
• SIMBAR
• TWITTER
• YAHOOB
• YAHOO_L/Y
• YANDEX_EMAIL
• YOUTUBE
• IP Address

More information on: https://wiki.gchq/ngi/QUANTUM BISCUIT

If you cannot get to the link try: http://




TOP SECRET//COMINT//REL TO USA, FVEY






QUANTUM SIGDEV - QFDs

• (TS//SI//REL) Find all Selectors associated to your target (Yahoo, Yahoo B Cookies, Facebook, Hotmail, etc) using Marina, NSA or GCHQ QFDs.

NSA SATC QFDs:

ALTEREGO QFD:

[Screenshot: ALTEREGO QFD result table with columns Queried Selector, Alternate Selector, Queried Selector Degree, Alternate Selector Degree, Intersection, Score; the example rows list <facebook> and <yahoo> alternate selectors]

DOGCOLLAR QFD:

[Screenshot: DOGCOLLAR QFD result table with columns Selector, Display, Enrichment Value, Observations, First Seen Date, Last Seen Date]

Skip to Step 5 once you have all of your selectors...
QUANTUM SIGDEV - Marina

Step 1: Skip to Step 5 if you used the QFDs to identify alternate selectors

• (TS//SI//REL) If you do not use the GCHQ or NSA QFDs you can use Marina. Run a Marina Selector/Identifier Profile (Federated) search for a 3 month range to look for additional selectors.

• (TS//SI//REL) Once the query finishes, look at the Equivalent IDs section. This will show you other selectors that your target is using. This is determined by linking content (logins/email registrations/etc). It is worth verifying that these are indeed selectors associated to your target. NSA QUANTUM works best against <yahoo> and <facebook>. Although, it is worth making note of a <gmail> selector for possible GCHQ QUANTUM support or for your own notes.



[Marina screenshot: Selector Summary (Equivalent IDs: 5, Web Cam Photos: 0), eMail application entries marked New Selector or Known Selector]

• (TS//SI//REL) If your search was on a <yahoo> email address, then click on Machine IDs and look for a recent <yahooBcookie>. YahooBcookies are unique to a specific computer and can hold other <yahoo> addresses that are being logged into on that computer as long as the user does not clear browser cookies. If you see multiple <yahooBcookie> pick the most recent Last Heard date. Also, the higher the Num Heard is, the more likely that selector does not change.

Unique Selectors Found:

• [redacted] <yahoo> (Known Selector)
• [redacted]@gmail.com<google> (New Selector)
• [redacted] <yahooBcookie> (New Selector)




TOP SECRET//SI//REL USA, AUS, CAN, GBR, NZL 



[Marina screenshot: Equivalent IDs view; label: New <google> selector]



(TS//SI//REL) Since [redacted]@gmail.com<google> is a new selector, you will want to do a Marina Selector Profile query on it to see if there are additional accounts associated to the target. Remember NSA QUANTUM cannot target the <google> selector.

(TS//SI//REL) You can do this by clicking on the selector, scrolling down to Selector Profile, and clicking Range.



(TS//SI//REL) Change the query to search for the last 3 Months and click SUBMIT



[Marina Selector Profile Search form: Search Name, Justification, Start Date]
(TS//SI//REL) Once the query finishes, look at the Equivalent IDs section and make note of any new <yahoo>, <hotmail>, <yahooBcookie>, and <facebook> selectors and do the same process to identify additional selectors.
(TS//SI//REL) Once you have a list of your selector(s), you will want to look at each one separately to check for the likelihood of successfully exploiting your target via NSA QUANTUM. We are checking to see if the target itself is seen at US-[redacted] and if it is active.

(TS//SI//REL) First we want to run a Marina Active User/Presence (Federated) search on <facebook> for the past 14 days.
• (TS//SI//REL) You will either have results or not have results. The key is to look at the SIGAD for the results, and if the SIGAD is capable of doing QUANTUM then you most likely have a vulnerable target! To check for SIGADs that NSA and GCHQ QUANTUM can target, type GO QUANTUM in your browser. If GCHQ QUANTUM is needed, then work with your R&T Analyst to follow the appropriate steps on the wiki to set up a PAF.

• (TS//SI//REL) You will want to look at the Marina results and make note of the most frequent SIGAD/IP CIDR for each Active User/Presence (Federated) query:

1) Selector

a) SIGAD

b) Active User IP CIDR - The CIDR will be added to the TLN's Whitelist.

- A TLN's Whitelist is a list containing the IP CIDRs your target uses. The FOXACID server will only continue with exploitation if the external IP address of the target/redirection is on the Whitelist for the TLN your R&T Analyst requests.




Is My Selector Tasked for QUANTUM?

If you sent your R&T analyst a selector to task for QUANTUMTHEORY and you want to see if it has been tasked yet, you can enter the selector in Target Profiler and if you see "tasked for survey" and the Technique to be QUANTUMTHEORY or QUANTUMNATION then it is tasked! You can also see when the last FOXACID redirection took place.
QUANTUMNATION

QUANTUMNATION uses new TAO CNE tradecraft and automation to drive broad scale initial access, specifically an SSG cloud-analytic to identify selectors in SSO passive collection that are viable for end-point access, and the use of lightweight CNE implants to obtain initial access and survey data delivered to the TOPI offices via corporate SIGINT repositories. For more information on QUANTUMNATION check the QUANTUMNATION wiki page.

Target Profiler now shows if a selector is vulnerable to a QUANTUM exploit. If your target is valid for QUANTUMNATION, a "Vulnerable" link in Target Profiler will appear. Simply click the link that sends an email to request QUANTUMNATION tasking.

[Target Profiler screenshot: a <facebook> selector row with a "Vulnerable" link in its Vulnerabilities column]
Note: QUANTUMNATION and standard QUANTUM tasking results in the same exploitation technique. The main difference is QUANTUMNATION deploys a stage 0 implant and is able to be submitted by the TOPI. Any iOS device will always get VALIDATOR deployed.
• (TS//SI//REL) Once you have a selector, SIGAD, and IP CIDR, you are ready to start the process for a FOXACID TLN and Tag request.

• (TS//SI//REL) Depending on the teams, either an R&T analyst or the Branch Chief can create a TLN (Twisty Lobby Number). Contact your Branch Chief for information on creating a TLN for each selector you want to target.

• (TS//SI//REL) Note: You will need 1 TLN and 1 FOXACID Tag per selector you task with QUANTUM.
Step 8:

• (TS//SI//REL) Once you have a TLN, you will need to submit a FOXACID Tag request.

• (TS//SI//REL) Go to https://[redacted].nsa/cgi-bin/ and fill out the appropriate information in the top and within the body of the ticket update this information accordingly. Here is an example:

CT or Non-CT: Non-CT
Second Party/Partnering: No
Country Region/Type:
FISA Target: No
Type of Op: QUANTUM
Utilizing WPTT: No
Project Name:
TLN: 12345 <- Insert Your TLN
IP Range: <- Insert Your Active User IP CIDR / WHITELIST
MAC Addresses: Unknown
Payload Requested: Val
bqcs;BB
MSP Support: No
(TS//SI//REL) Once the ticket is completed, you will receive an email with the FOXACID Tag for your TLN.

• (TS//SI//REL) Go to https://[redacted].nsa.ic.gov/[redacted]/index.php and fill out the appropriate information in the form to task your selector and tag for QUANTUM.

• (TS//SI//REL) Once your selector is tasked for QUANTUM you will see the status changed to complete.

• (TS//SI//REL) The last step is to monitor the TLN in FOXSEARCH (https://[redacted].nsa) to look for redirections and update the plugins or WHITELIST if needed.

(TS//SI//REL) De-task your QUANTUM request when you hook your target!




